Yellow Dog Security Advisory: YDU-20030127-3

yellowdog-updates@lists.terrasoftsolutions.com yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:08:28 -0700 (MST) 

Yellow Dog Linux Security Announcement
--------------------------------------

Package:	vim
Issue Date:	January 27, 2003
Priority:	medium	
Advisory ID: 	YDU-20030127-3


1. 	Topic:

	Updated vim packages are available.


2. 	Problem:

	"VIM (Vi IMproved) is a version of the vi editor.

	VIM allows a user to set the modeline differently for each edited text
	file by placing special comments in the files. Georgi Guninski found
	that these comments can be carefully crafted in order to call external
	programs. This could allow an attacker to create a text file such that
	when it is opened arbitrary commands are executed.

	Users of VIM are advised to upgrade to these errata packages which
	have been patched to disable the usage of dangerous functions in
	modelines."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install vim

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/vim-common-6.1-17.7x.2a.ppc.rpm
			ppc/vim-enhanced-6.1-17.7x.2a.ppc.rpm
			ppc/vim-minimal-6.1-17.7x.2a.ppc.rpm
			ppc/vim-X11-6.1-17.7x.2a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
b286bd901010634b69a8fd09e7dfb785  ppc/vim-common-6.1-18.7x.2a.ppc.rpm
804e3f6b21255656acaa07b48bff276e  ppc/vim-enhanced-6.1-18.7x.2a.ppc.rpm
d525f6f668095b93f4d7cfa9194fff5c  ppc/vim-minimal-6.1-18.7x.2a.ppc.rpm
f9da0f1d03ece2214b80b6558bb7cc8f  ppc/vim-X11-6.1-18.7x.2a.ppc.rpm
c150247335affb03eab1ca01b7eb45d7  SRPMS/vim-6.1-18.7x.2a.src.rpm


I wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml